build-ca: Command 'req', remove SSL option '-keyout'
OpenSSL command 'req', option '-keyout' behaves differently between OpenSSL
v3.x versus v1.x

When the private key is encrypted:
- v1.x ignores '-keyout' and does not create a new key.
- v3.x creates a new key with different parameters to the original key.

v3.x creates the original key, encrypted by AES-256-CBC; then creates
the unnecessary, secondary key, encrypted by DES-EDE3-CBC.

Because EasyRSA has already generated the private key, the 'req' command
must not generate a secondary key.

Signed-off-by: Richard T Bonhomme <[email protected]>
TinCanTech committed Apr 17, 2024
1 parent 3c233d2 commit 73d8416
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion easyrsa3/easyrsa
Expand Up @@ -1923,7 +1923,7 @@ build_ca: CA certificate password created via RAW"

else
easyrsa_openssl req -utf8 -new \
-key "$out_key_tmp" -keyout "$out_key_tmp" \
-key "$out_key_tmp" \
-out "$out_file_tmp" \
${ssl_batch:+ -batch} \
${x509:+ -x509} \
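
Review bot: Nothing at the `easyrsa_openssl req` call in this `else` branch records why `-keyout` must stay absent, so a later edit could reintroduce it. Add a short comment above the call stating that `$out_key_tmp` already holds the generated private key and that `req` is only allowed to read it via `-key`. Since the commit message says OpenSSL v3.x would otherwise write a second key encrypted with DES-EDE3-CBC instead of AES-256-CBC, a regression check that `$out_key_tmp` is byte-for-byte unchanged after this call (for example by comparing a digest taken before and after) would catch the same problem if it returns. Only the `else` branch is visible in this hunk; if the branch before it also passes `-key` and `-keyout` with the same file, it needs the same change.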